lolbas-project/lolbas

LOLBAS stands for Living Off The Land Binaries and Scripts. The project catalogs Windows tools and files that come pre-installed with the operating system or are signed by Microsoft, but can be used in unexpected ways by attackers or security testers. The term "living off the land" refers to the technique of using tools that are already on a target system, rather than bringing in external malware. The core idea is that many legitimate Windows programs have hidden capabilities beyond their stated purpose. For example, a file transfer utility might also be able to execute arbitrary code, or a diagnostic tool might be able to extract password information. By documenting these behaviors, security teams can better understand what an attacker might do using only built-in tools, and defenders can watch for unusual usage patterns of common programs. Each entry in the project covers a specific binary, script, or library and lists what unexpected things it can do, such as downloading files, running other programs, compiling code, bypassing user account controls, or evading logs. To be included, a file must be signed by Microsoft and must have functionality that goes beyond its intended design in ways that would be relevant to an attacker or red team tester. The YAML files in this repository are the data source behind a public searchable website at lolbas-project.github.io, where you can browse and search the catalog. The repository itself stores the structured data files and accepts contributions when someone discovers a new entry that meets the criteria. The project is used by both offensive security professionals (red teams testing defenses) and defensive security professionals (blue teams setting up detection rules). It is maintained by a group of security researchers as a community reference.